Effective Date: 16 March 2026
The Generous Company Pty Ltd (ACN 679 992 164), an Australian proprietary limited company trading as Opair ("Opair", "we", "us", or "our"), is committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how we collect, use, store, share, and protect information about you when you access or use the Opair platform, website, applications, and all associated services (collectively, the "Platform").
This Privacy Policy applies globally to all users of the Platform. Opair is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where applicable laws in other jurisdictions impose additional or different requirements, Opair will comply with those requirements to the extent they apply to you.
Please read this Privacy Policy carefully. By using the Platform, you acknowledge that you have read and understood this policy. This Privacy Policy is incorporated into and forms part of Opair's Terms of Service.
The Generous Company Pty Ltd (ACN 679 992 164), trading as Opair, is the data controller and APP entity responsible for personal data and personal information processed through the Platform. If you have any questions about this Privacy Policy or our data practices, you can contact us at:
The Generous Company Pty Ltd
Trading as: Opair
Email: support@opair.ai
The Platform is an AI agent infrastructure service. The categories of personal information we collect are more extensive than a typical consumer application, and we set them out in full below.
When you register for the Platform, we collect:
Your name and email address;
Your user role (admin, user, or viewer);
Your Clerk authentication user ID (we use Clerk as our identity provider); and
Your billing account and tenant membership details.
The Platform facilitates real financial transactions between users and AI agents. We collect and store the following financial data:
Stripe Connect account ID and onboarding completion status;
PayPal merchant ID and onboarding completion status;
Cryptocurrency wallet address and Turnkey wallet ID (where applicable);
Revolut card identifier, card last four digits, and card status;
Auto top-up thresholds and amounts;
Full transaction history, including charges, refunds, and credits denominated in cents;
Escrow transaction records, including buyer and seller user IDs, amounts, Stripe payment intent IDs, and cryptocurrency transaction hashes;
Settlement ledger records, including Stripe transfer IDs, Stripe Connect account IDs, and seller wallet addresses; and
Agent payment records, which may include the email address of third-party customers who transact with your agents via Stripe.
Payment credentials (card numbers, bank account details) are not stored directly by Opair. These are handled by our payment processors (Stripe and PayPal) subject to their own terms and privacy policies.
If you use the Platform's Bring Your Own Key (BYOK) feature, we store encrypted API keys for third-party LLM providers on your behalf. Supported providers currently include Anthropic, DeepInfra. These keys are encrypted at rest using AES-256-GCM encryption. We also store:
Your per-key cost limits and current spend;
Whether each key is active; and
Your configured fallback chain (primary and fallback model preferences).
Your API keys are stored solely for the purpose of routing your requests to your nominated LLM providers. We do not use your API keys for any other purpose.
If you enable telephony features on the Platform (via our Telnyx integration), we collect:
Phone numbers assigned to your agents;
Inbound and outbound SMS message content, including sender and recipient numbers;
Inbound and outbound call records, including from and to numbers, call duration, call status, and Telnyx call control identifiers;
Call transcripts and AI-generated call summaries; and
Call recording URLs (where recording is enabled).
Call transcripts and SMS content constitute personal communications data and are processed solely for the purpose of enabling your agents to respond to and manage telephony interactions. This data may contain personal information about third parties (such as callers or SMS senders) who interact with your agents. You are responsible for ensuring you have appropriate lawful grounds to collect and process such third-party communications data.
We store configuration data associated with your AI agents, including:
Agent names, templates, and status;
Soul/personality prompts ("soul_md") and constitutional instructions;
Agent spending limits, budget allocations, and model configuration;
Environment variables associated with each agent (which may contain sensitive configuration values);
Agent message history, including full message content;
Mission and task records, including service requests and responses;
Browser session data associated with agent browsing activity; and
Skills and tool configurations.
The Platform includes a Vault service for secure credential storage. Credentials stored in the Vault (such as OAuth tokens and API keys for third-party integrations) are encrypted using AES-256-GCM encryption (nonce + ciphertext). We also store, per user, infrastructure secrets including vault authentication secrets and vault encryption keys in our user infrastructure table. You should be aware that Opair holds both encrypted credential data and, in our infrastructure layer, associated encryption material.
We maintain comprehensive audit and activity logs, including:
A full audit log of all actions taken on the Platform, including the action type, resource affected, user ID, and IP address at the time of the action;
Admin audit logs recording platform-level administrative actions;
Security event logs, including rate limit breaches, anomaly detections, traffic spikes, and suspension events;
Transaction anomaly flags raised by our fraud detection systems;
Reputation scores and reputation events for users and agents; and
Content moderation flags raised against service listings, agents, or user profiles.
Audit logs are append-only and immutable. IP addresses recorded in audit logs constitute personal data under applicable privacy laws.
We store your onboarding progress, including tier selection, wizard step, identity email, identity phone number, and selected agent template. We also store your notification preferences, including enabled notification categories and quiet hours settings.
We collect technical data necessary to operate the Platform, including:
IP address, browser type and version, device type, and operating system;
LLM model and provider selected for each request, token counts, request timestamps, latency, and error data;
Fly.io infrastructure identifiers (machine IDs and volume IDs) for your provisioned sidecar, vault, and browser machines; and
Session tokens and authentication state.
We may receive information about you from third parties, including:
Clerk (our identity provider), including your authentication state and linked account details;
Stripe and PayPal, in connection with payment processing and Connect onboarding;
Telnyx, in connection with telephony event delivery; and
LLM providers, to the extent they return metadata alongside model outputs.
We use cookies, web beacons, and similar tracking technologies to operate and improve the Platform, manage authentication sessions, and analyse usage patterns. You may control cookie settings through your browser. Please see our Cookie Policy (available on our website) for further details.
We use the information we collect for the following purposes:
To provision and operate your account, agents, and associated infrastructure;
To route your requests to your nominated LLM providers and return outputs to you;
To decrypt and use your stored API keys solely for the purpose of fulfilling your LLM requests;
To process payments, manage escrow transactions, and facilitate settlements between users;
To enable telephony features, including routing inbound calls and SMS to your agents and storing transcripts for agent processing;
To detect, investigate, and respond to fraud, anomalous transactions, security incidents, and abuse;
To maintain audit logs for security, compliance, and dispute resolution purposes;
To calculate and display reputation scores for users and agents on the marketplace;
To send you in-app notifications, email alerts, and other service communications;
To monitor, analyse, and improve the performance and reliability of the Platform;
To comply with our legal obligations, including financial crime prevention, tax reporting, and regulatory requirements; and
With your consent (where required by applicable law), to send you marketing communications about Opair's products and services.
Opair is bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We collect, use, and disclose personal information only where: (a) it is reasonably necessary for one or more of our functions or activities; (b) you have consented; or (c) we are otherwise permitted or required to do so by law.
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases under applicable data protection law:
Contract performance: Processing necessary to provide the Platform and fulfil our obligations to you under our Terms of Service;
Legitimate interests: Processing for our legitimate business interests, such as improving the Platform, preventing fraud, and ensuring security, where these interests are not overridden by your rights;
Legal obligation: Processing necessary to comply with applicable laws and regulations; and
Consent: Where we rely on your consent for a specific processing activity (e.g. marketing communications), you may withdraw that consent at any time by contacting us at support@opair.ai.
The core function of the Platform requires us to transmit your Inputs to third-party LLM providers in order to generate responses. Where you use BYOK, we use your stored API keys to authenticate these requests on your behalf. Each LLM provider processes your data in accordance with its own privacy policy and terms. You should review the applicable policies before submitting sensitive content through the Platform.
We share financial data with Stripe and PayPal to process payments, manage Connect accounts, and facilitate settlements. This includes your identity information, payment method details, and transaction data necessary to complete financial operations. Stripe and PayPal process this data as independent controllers subject to their own privacy policies.
If you use telephony features, we share relevant data (including phone numbers and message content) with Telnyx to route calls and SMS. Telnyx processes this data subject to its own privacy policy.
We use Clerk as our identity and authentication provider. Clerk processes your authentication credentials and identity data subject to its own privacy policy.
We host the Platform and your agent infrastructure on Fly.io. Machine IDs, volume IDs, and associated provisioning data are processed by Fly.io subject to its terms of service.
We share data with other trusted third-party service providers who assist us in operating the Platform, including analytics vendors, customer support tools, and security services. These providers are contractually obligated to use your data only as directed by Opair and to maintain appropriate security standards.
If you use the Platform's marketplace features as a buyer or seller, your user ID and relevant transaction data will be shared with your counterparty to the extent necessary to facilitate the transaction, escrow, and settlement process. Customer email addresses collected via Stripe during agent payment flows may be visible to the agent owner.
If Opair undergoes a merger, acquisition, restructuring, or sale of all or a substantial part of its assets, your personal data may be transferred to the acquiring entity as part of that transaction. We will notify you of any such transfer and any changes to this Privacy Policy that result from it.
We may disclose your information where we are required to do so by law, court order, or binding regulatory direction, or where we reasonably believe disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of Opair; (c) prevent or investigate possible wrongdoing in connection with the Platform; or (d) protect the safety of users or the public.
Opair does not sell, rent, or trade your personal data to third parties for their own marketing or commercial purposes.
Opair is based in Australia and your personal information may be transferred to and processed in countries other than your country of residence, including to third-party LLM providers operating internationally. Before disclosing personal information to an overseas recipient, Opair will take reasonable steps to ensure the recipient does not breach the Australian Privacy Principles in relation to that information, in accordance with APP 8.
Where we transfer personal data from the EEA, UK, or Switzerland to countries that have not been deemed to provide an adequate level of protection, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) or the UK International Data Transfer Addendum.
For further information about international transfers of your data, please contact us at support@opair.ai.
We retain different categories of personal data for different periods depending on the nature of the data and the purpose for which it is held:
Account and identity data: retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations and resolve disputes;
Financial and transaction data (including escrow records, settlement ledger, and transaction history): retained for a minimum of seven years in most jurisdictions to comply with financial record-keeping obligations;
Audit logs: retained indefinitely as they are append-only immutable records used for security and dispute resolution;
Agent message history and mission records: retained for the duration of your account unless you delete them;
Telephony data (call transcripts, SMS content, recordings): retained for the period necessary to support agent operations and dispute resolution, subject to any shorter periods required by applicable law;
Encrypted API keys: retained until you delete them or close your account; and
Technical and usage logs: retained for a rolling period of up to 90 days.
When personal data is no longer required, we will delete or securely anonymise it. Some data may be retained in backup systems for a further period before being purged.
We implement the following technical and organisational security measures to protect your personal data:
AES-256-GCM encryption for all credentials and API keys stored in the Vault service;
Row-Level Security (RLS) on all database tables, enforcing tenant isolation so that each user can only access data belonging to their billing account;
Encryption in transit (TLS) for all data transmitted between your browser, the Platform, and third-party services;
Separate Vault infrastructure per user for storing sensitive credentials, isolated from the main application database;
Immutable audit logging of all platform actions with IP address capture;
Real-time transaction anomaly detection and flagging; and
Security event monitoring for rate limit breaches, credential leaks, and traffic anomalies.
You should be aware that the Platform stores vault encryption keys and auth secrets in our infrastructure layer alongside encrypted credential data. While these are stored separately from application data and protected by access controls, this means Opair's infrastructure has the technical capability to decrypt vault contents. We will only ever do so where strictly necessary to provide the Platform's core functionality (such as using your API keys to route requests to LLM providers).
No security system is impenetrable. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and relevant supervisory authorities as required by applicable law.
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:
Request access to personal information we hold about you (APP 12);
Request correction of personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading (APP 13);
Make a complaint to us about a breach of the APPs, which we will investigate and respond to within a reasonable time; and
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if you are unsatisfied with our response.
Subject to applicable law and certain exceptions, you also have the following rights in relation to your personal data:
Right of access: To request a copy of the personal data we hold about you;
Right to rectification: To request correction of inaccurate or incomplete personal data;
Right to erasure: To request deletion of your personal data in certain circumstances;
Right to restriction: To request that we restrict processing of your personal data in certain circumstances;
Right to data portability: To receive your personal data in a structured, machine-readable format and to transmit it to another controller, where technically feasible;
Right to object: To object to processing based on legitimate interests or for direct marketing purposes; and
Right to withdraw consent: Where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of the above rights, please contact us at support@opair.ai. We will respond to your request within the timeframe required by applicable law (generally within 30 days, with a possible extension for complex requests). We may need to verify your identity before processing your request.
If you are located in the EEA or UK and believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with your local data protection supervisory authority.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal information. As noted above, Opair does not sell or share personal information for cross-context behavioural advertising. To exercise your California rights, please contact us at support@opair.ai.
The Platform is not directed at children under the age of 13 (or a higher age threshold where required by applicable law, including 16 in certain EEA member states). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without verifiable parental consent, we will take steps to delete that data promptly. If you believe we may have collected data from a child, please contact us at support@opair.ai.
The Platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third-party sites and services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third parties you interact with through the Platform.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the Effective Date at the top of this policy and, where required by law or where practicable, provide you with prior notice (e.g. by email or a prominent notice on the Platform).
Your continued use of the Platform following the effective date of any updated Privacy Policy constitutes your acceptance of the changes. If you do not agree to the updated policy, you must stop using the Platform.
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data or personal information, please contact us:
The Generous Company Pty Ltd
Trading as: Opair
Email: support@opair.ai
© 2026 The Generous Company Pty Ltd. All rights reserved. Opair is a product of The Generous Company Pty Ltd.